Firewalls (hereinafter also referred to as FW) exist as a means for improving the security of an own terminal or an own network, that is, the terminal or network to be protected.
The firewall is placed between the own terminal or own network that requires high security and an external network. According to a predetermined security policy, the firewall determines whether a packet sent from the external network to the own terminal or network, or from the own terminal or network to the external network, is permitted to pass. The firewall then performs filtering: a permitted packet is forwarded through the firewall, and any other packet is discarded.
Each rule associates conditions such as an address, a protocol type, a port number and a direction with the decision to pass or discard a matching packet; the security policy is formed by a plurality of such rules.
In addition, firewalls can be categorized into three types according to their placement.
The first type, shown in FIG. 1, is a firewall 10 (hereinafter referred to as a “terminal base firewall”) that is included in the own terminal 11. The firewall 10 protects the own terminal 11 against an external network 12 (the Internet, for example).
The second type, shown in FIG. 2, is a firewall 10 (hereinafter referred to as a “CPE base firewall”) that is placed at the edge of the own network 13, where the network connects to the external network 12. This firewall protects the own network 13 against the external network 12.
The third type, shown in FIG. 3, is a firewall 10 (hereinafter referred to as an “NW base firewall”) that accommodates a plurality of networks 13 or terminals 11 that are operated under independent security policies and that require increased security. The firewall is placed at the point of connection to the external network 12 and protects each network 13 or terminal 11 against the external network 12.
As the number of constant connection (always-on) users increases, so does the need for security. Under these circumstances, a security service that compensates for a lack of skill must be provided at low cost to users who do not have sufficient knowledge of security. From this viewpoint, among the firewalls described above, the NW base firewall, in which the firewall is provided on the network side, is effective.
That is, the NW base firewall offers economies of scale from aggregating the accommodated users and a reduction in the work required of each user through outsourcing. However, since each user must be provided with its own security policy, this type of firewall requires an architecture for constructing a virtual firewall for each user within one physical firewall.
FIG. 4 shows a method for constructing virtual firewalls according to a conventional technology. To assign a virtual firewall to a user's terminal, server or network, a fixed user ID is associated with a virtual firewall ID.
The fixed user ID is the VLAN-ID of the network to which the user's terminal or server belongs, or the IP address of the user's terminal or server. In FIG. 4, the IP address [a.a.a.a] of a server 211 of a user #a and the IP address [b.b.b.b] of a server 212 of a user #b are registered beforehand in a distribution management table 201 as fixed user IDs, associated with virtual firewall IDs 202 and 203 respectively.
Then, for example, in a communication between the server 211 of the user #a and a connection partner terminal 213, for a packet 221 sent from the server 211, the distribution management table 201 is searched using the source IP address [a.a.a.a] as the key, the virtual firewall ID 202 associated with that address is retrieved, and the packet 221 is distributed to the virtual firewall 202. Likewise, for a packet 222 sent from the connection partner terminal 213, the table 201 is searched using the destination IP address [b.b.b.b] as the key, the virtual firewall ID 203 associated with that address is retrieved, and the packet 222 is distributed to the virtual firewall 203.
Each of the virtual firewalls 202 and 203 holds filtering rules conforming to the security policy defined by the user #a and the user #b, respectively, and the packets 221 and 222 are passed or discarded according to those rules. In this way, an attack packet sent to the server 211 by an unauthorized person can be filtered, for example.
This conventional technology is mainly applied to data centers and the like, where fixed user IDs are used and can therefore be registered in the distribution management table 201 beforehand.
“Investigation of secure content filtering method in a data center” (IEICE Society Conference (2002), B-6-38, 2002.8.20) is a prior art document relating to this conventional technology.
As another conventional technology for setting up secure communications for each user, there is Japanese Laid-Open Patent Application No. 2001-298499, “Security communication method, communication system and the apparatus”. However, that technology mainly presumes IPsec communications. The per-user security communications defined in that document merely select the strength of the authentication algorithm or encryption algorithm used for the communications according to the user's request, which is different from a function for filtering attack packets resulting from invalid accesses.
In a constant connection service, a user ID (the user IP address) is assigned to the user only when the connection between the user terminal and the network is established, more specifically, when a PPP (Point to Point Protocol) session is established. In addition, the user IP address is generally variable.
Therefore, even if one tries to apply the virtual firewall of the conventional technology to the constant connection service, it is difficult to do so, since the user IP address cannot be registered in the distribution management table beforehand.
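The distribution management table scheme of FIG. 4, and the reason it breaks down for a constant connection user, as an added example that is not code from the cited patent or documents. The concrete addresses, the rule sets for users #a and #b, and the class and function names are assumptions constructed for this illustration; a VLAN-ID would be keyed in the table in exactly the same way as the IP address used here.

```python
"""Per-user virtual firewall dispatch via a distribution management table.

Added illustration of the conventional scheme described above, not code from
the cited patent or documents. A fixed user ID (here an IP address; a VLAN-ID
would be keyed the same way) selects the virtual firewall whose rules are then
applied to the packet. The concrete addresses below are constructed stand-ins
for a.a.a.a, b.b.b.b and the connection partner terminal 213.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp", "icmp"
    dport: Optional[int]  # None for protocols without ports
    direction: str        # "in" = from the external network, "out" = from the user side


@dataclass(frozen=True)
class Rule:
    """One rule: address, protocol, port and direction conditions (None = any)
    associated with the pass/discard decision."""
    src: Optional[str]
    dst: Optional[str]
    proto: Optional[str]
    dport: Optional[int]
    direction: Optional[str]
    action: str  # "pass" or "discard"

    def matches(self, p: Packet) -> bool:
        conditions = (
            (self.src, p.src), (self.dst, p.dst), (self.proto, p.proto),
            (self.dport, p.dport), (self.direction, p.direction),
        )
        return all(want is None or want == have for want, have in conditions)


class VirtualFirewall:
    def __init__(self, vfw_id: int, rules: List[Rule]):
        self.vfw_id = vfw_id
        self.rules = rules

    def filter(self, p: Packet) -> str:
        # First matching rule decides; anything unmatched is discarded.
        for r in self.rules:
            if r.matches(p):
                return r.action
        return "discard"


class NwBaseFirewall:
    def __init__(self) -> None:
        self.distribution_table: Dict[str, int] = {}   # fixed user ID -> VFW ID
        self.vfws: Dict[int, VirtualFirewall] = {}

    def register(self, user_id: str, vfw: VirtualFirewall) -> None:
        """Registration happens beforehand, which is why the user ID must be fixed."""
        self.distribution_table[user_id] = vfw.vfw_id
        self.vfws[vfw.vfw_id] = vfw

    def handle(self, p: Packet) -> Tuple[Optional[int], str]:
        # Outbound packets are keyed on the source address, inbound on the destination.
        key = p.src if p.direction == "out" else p.dst
        vfw_id = self.distribution_table.get(key)
        if vfw_id is None:
            # No virtual firewall is bound to this address. This is what happens for
            # a constant-connection user whose address is only assigned when the
            # PPP session comes up and so could never be registered beforehand.
            return None, "unassigned"
        return vfw_id, self.vfws[vfw_id].filter(p)


SERVER_A = "192.0.2.11"    # stand-in for a.a.a.a (server 211 of user #a)
SERVER_B = "192.0.2.12"    # stand-in for b.b.b.b (server 212 of user #b)
PARTNER = "198.51.100.7"   # stand-in for the connection partner terminal 213


def build_fixed_id_firewall() -> NwBaseFirewall:
    fw = NwBaseFirewall()
    # User #a permits only HTTP from outside and any traffic its server originates.
    fw.register(SERVER_A, VirtualFirewall(202, [
        Rule(None, SERVER_A, "tcp", 80, "in", "pass"),
        Rule(SERVER_A, None, None, None, "out", "pass"),
    ]))
    # User #b permits only HTTPS from outside.
    fw.register(SERVER_B, VirtualFirewall(203, [
        Rule(None, SERVER_B, "tcp", 443, "in", "pass"),
        Rule(SERVER_B, None, None, None, "out", "pass"),
    ]))
    return fw


def demo() -> Dict[str, Tuple[Optional[int], str]]:
    fw = build_fixed_id_firewall()
    return {
        # packet 221: from server 211, dispatched on source a.a.a.a to VFW 202
        "221": fw.handle(Packet(SERVER_A, PARTNER, "tcp", 51000, "out")),
        # packet 222: to b.b.b.b, dispatched on destination to VFW 203
        "222": fw.handle(Packet(PARTNER, SERVER_B, "tcp", 443, "in")),
        # an SSH probe against server 211 matches no pass rule in VFW 202
        "probe": fw.handle(Packet(PARTNER, SERVER_A, "tcp", 22, "in")),
        # a PPP-assigned address that could not be registered beforehand
        "dynamic": fw.handle(Packet(PARTNER, "203.0.113.45", "tcp", 80, "in")),
    }


if __name__ == "__main__":
    for name, (vfw_id, verdict) in demo().items():
        print(f"packet {name}: virtual firewall {vfw_id}, {verdict}")
```

The last case is the point of the passage: the packet is well formed and would be permitted by user #a's policy, but because its address was not in the table beforehand, no virtual firewall is selected at all, so the user receives no filtering. Whether the apparatus then drops or forwards such packets is a separate design decision that the conventional scheme does not address.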
In addition, since the number of accommodated users in a constant connection service is much larger than in the case of applying a firewall to a data center and the like, the number of users that the NW base firewall apparatus can accommodate simultaneously must be increased.
Apart from the viewpoint of placement, firewalls can also be classified into two types according to where the security policy is held.
The first type holds the security policy inside the firewall. Ordinary firewalls adopt this method.
The other type, shown in FIGS. 5, 6 and 7, holds the security policy outside the firewall 10, and the security policy is distributed to a plurality of firewalls 10.
For each type of firewall described above (terminal base firewall, CPE base firewall and NW base firewall), most firewalls hold the security policy inside.
As to firewalls that use the method of distributing the security policy, however, Japanese Laid-Open Patent Application No. 2002-544607 discloses applying that method to the terminal base firewall, and the document “Distributed Firewalls” (November 1999, Special issue on Security, ISSN 1044-63971) discloses applying it to the CPE base firewall.
As to the NW base firewall, when the accommodated network or terminal is statically connected, the same situation as for the CPE base firewall applies.
However, when the accommodated network or terminal is dynamically connected and disconnected, or the NW base firewall accommodating it changes, holding the security policy inside the firewall is not practical, since the firewall would have to hold the security policies of every network or terminal it might accommodate, regardless of whether they are currently connected.
Therefore, in such an environment, an NW base firewall apparatus is needed that has means for keeping the amount of held security policies at an optimum capacity according to the connection and disconnection of networks or terminals.
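One way the requirement just stated can be met, as an added example and not the patent's own mechanism: the security policy lives in an external policy store (the second holding method above), the NW base firewall fetches a user's policy only when that user's session is established and its address becomes known, and it releases the policy when the user has no session left, so that the firewall never holds more policies than it has connected users. The store interface, the capacity limit, the user names, the addresses and the policy strings are assumptions constructed for this illustration.

```python
"""Loading a user's security policy on connection and releasing it on disconnection.

Added illustration of the requirement stated above, not the patent's own
mechanism. The policy is held outside the firewall in a policy store; the NW
base firewall fetches a user's policy only when that user's session (e.g. a
PPP session) is established, binds the address assigned at that moment to the
policy, and releases the policy once the user has no session left. The store
interface, the capacity limit, the user names and the policy strings are
assumptions constructed for this example.
"""
from typing import Dict, List, Optional


class PolicyStore:
    """External repository of per-user policies (security policy held outside the FW)."""

    def __init__(self, policies: Dict[str, List[str]]):
        self._policies = policies
        self.fetches = 0  # each fetch is one delivery over the distribution line

    def fetch(self, user: str) -> List[str]:
        self.fetches += 1
        return list(self._policies[user])


class NwBaseFirewall:
    def __init__(self, store: PolicyStore, capacity: int):
        self.store = store
        self.capacity = capacity                   # policies held simultaneously, at most
        self.loaded: Dict[str, List[str]] = {}     # user -> policy currently in the firewall
        self.sessions: Dict[str, str] = {}         # assigned IP address -> user

    def session_up(self, user: str, assigned_ip: str) -> bool:
        """Called when the user's session is established and its address becomes known."""
        if user not in self.loaded:
            if len(self.loaded) >= self.capacity:
                return False   # cannot accommodate another policy right now
            self.loaded[user] = self.store.fetch(user)
        self.sessions[assigned_ip] = user
        return True

    def session_down(self, assigned_ip: str) -> None:
        """Called on disconnection; the policy is freed when the user has no session left."""
        user = self.sessions.pop(assigned_ip)
        if user not in self.sessions.values():
            del self.loaded[user]

    def policy_for(self, ip: str) -> Optional[List[str]]:
        """The policy that would filter a packet to or from this address, if any."""
        user = self.sessions.get(ip)
        return self.loaded.get(user) if user is not None else None


def demo() -> Dict[str, object]:
    # Constructed sample data: three subscribers, a firewall able to hold two policies.
    store = PolicyStore({
        "user-a": ["pass tcp/80 in", "pass any out"],
        "user-b": ["pass tcp/443 in", "pass any out"],
        "user-c": ["discard any in", "pass any out"],
    })
    fw = NwBaseFirewall(store, capacity=2)
    obs: Dict[str, object] = {}
    fw.session_up("user-a", "203.0.113.45")   # address known only now, at session setup
    fw.session_up("user-b", "203.0.113.46")
    obs["loaded_after_two"] = sorted(fw.loaded)
    obs["third_refused"] = not fw.session_up("user-c", "203.0.113.47")
    fw.session_down("203.0.113.45")           # user-a disconnects; its policy is released
    obs["loaded_after_drop"] = sorted(fw.loaded)
    obs["third_accepted"] = fw.session_up("user-c", "203.0.113.47")
    fw.session_up("user-b", "203.0.113.48")   # second session of user-b reuses the policy
    obs["fetches"] = store.fetches             # no refetch for user-b's second session
    obs["policy_b"] = fw.policy_for("203.0.113.48")
    obs["released_a"] = fw.policy_for("203.0.113.45")
    return obs


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two details matter for the performance concerns that follow: a policy is fetched once per user rather than once per session, and a release happens only when the last session of that user ends, so the number of deliveries over the distribution line tracks user connections rather than raw session churn.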
In addition, in an NW base firewall that loads security policies in response to the connection of networks or terminals, many security policies may be loaded because a plurality of networks or terminals are connected. In that case, the CPU load for loading security policies becomes large, and the filtering and transfer processes can no longer be performed properly, so that filtering and transfer performance suffers.
In addition, the apparatus that delivers the security policies cannot distribute them when the amount to be distributed exceeds the apparatus's capacity.
Further, on the line used for distributing the security policies, discarding or delay of the distributed policies may occur when the amount distributed exceeds the line capacity.
Therefore, an NW base firewall apparatus is needed that includes means for reducing the amount of security policy to be delivered.